Charter for Working Group

The System for Cross-domain Identity Management (SCIM) working group will standardize methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications.

"Standardize" does not necessarily mean that the working group will develop new technologies. The existing specifications for "SCIM 1.0" provide RESTful interfaces on top of HTTP rather than defining a new application protocol. That will be the basis for the new work.

Today, distributed identity management across administrative domains is complicated by a lack of protocol and schema standardization between consumers and producers of identities. This has led to a number of approaches, including error-prone manual administration and bulk file uploads, as well as proprietary protocols and mediation devices that must be adapted to each service for each organization. While there is existing work in the field, it has not been widely adopted for a variety of reasons, including a lack of common artifacts such as schema, toolsets, and libraries.

The SCIM working group will develop the core schema and interfaces based on HTTP and REST to address these problems. Initially, the group will focus on:

- a schema definition
- a set of operations for creation, modification, and deletion of users
- schema discovery
- read and search
- bulk operations
- mapping between the inetOrgPerson LDAP object class (RFC 2798) and the SCIM schema

It will follow that by considering extensions for client targeting of specific SCIM endpoints and SAML binding. The approach will be extensible.

The group will use, as starting points, the following drafts in the following ways:

- draft-scim-use-cases-00 as the initial use cases for SCIM
- draft-scim-core-schema-00 as the schema specification
- draft-scim-api-00 as the protocol specification

These drafts are based on existing specifications, which together are commonly known as SCIM 1.0. Because there is existing work with existing implementations, some consideration should be given to backward compatibility, though getting it right takes priority. This group will consider the operational experience gathered from the existing work, as well as experiences with work done by other bodies, including the OASIS Provisioning TC.

The use cases document will be a "living document", guiding the working group during its development of the standards. The group may take snapshots of that document for Informational publication, to serve as documentation of the motivation for the work in progress and to similarly guide planning and implementation.

The group will produce Proposed Standards for a schema, a REST-based protocol, and a SAML binding, as well as an Informational document defining an LDAP mapping. In doing so, the group will make the terminology consistent, identify any functional gaps that would be useful for future work, address internationalization, and provide guidelines and mechanisms for extensibility.

In addition, the working group will ensure that the SCIM protocol embodies good security practices. Given both the sensitivity of the information being conveyed in SCIM messages and the regulatory requirements regarding the privacy of personally identifiable information, the working group will pay particular attention to issues around authorization, authenticity, and privacy.

The group considers the following out of scope:

- Defining new authentication schemes
- Defining new policy/authorization schemes